Add SELinux contexts for neutron log directory

The log directory for neutron has the default_t SELinux context and this prevents rsyslog from accessing neutron's logs. This patch ensures that the file contexts are set properly for neutron's logs. This change also makes neutron's log directory configurable using the `neutron_log_dir` variable. Closes-Bug: 1748968 Change-Id: Ifbcca131435c8963cc9c1b85c000cc040fab27ab
2018-02-13 15:57:04 -06:00 · 2018-02-13 15:57:04 -06:00 · 1664cb0009
parent cd580de2c2
commit 1664cb0009
6 changed files with 37 additions and 18 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -31,6 +31,8 @@ neutron_package_state: "latest"
 ### Python code details
 ###

+neutron_log_dir: "/var/log/neutron"
+
 # Set the package install state for pip_package
 # Options are 'present' and 'latest'
 neutron_pip_package_state: "latest"
@ -100,7 +102,7 @@ neutron_dns_domain: "openstacklocal."
 # Dnsmasq doesn't work with config_template override, a deployer
 # should instead configure its own neutron_dhcp_config key/values
 neutron_dhcp_config:
-  log-facility: "/var/log/neutron/neutron-dnsmasq.log"
+  log-facility: "{{ neutron_log_dir }}/neutron-dnsmasq.log"

 # Set the neutron lbaasv2 user group, defaults from os specific vars
 neutron_lbaasv2_user_group: "{{ _neutron_lbaasv2_user_group }}"
--- a/tasks/neutron_pre_install.yml
+++ b/tasks/neutron_pre_install.yml
@ -51,9 +51,9 @@

 - name: Test for log directory or link
  shell: |
-    if [ -h "/var/log/neutron"  ]; then
-      chown -h {{ neutron_system_user_name }}:{{ neutron_system_group_name }} "/var/log/neutron"
-      chown -R {{ neutron_system_user_name }}:{{ neutron_system_group_name }} "$(readlink /var/log/neutron)"
+    if [ -h "{{ neutron_log_dir }}"  ]; then
+      chown -h {{ neutron_system_user_name }}:{{ neutron_system_group_name }} "{{ neutron_log_dir }}"
+      chown -R {{ neutron_system_user_name }}:{{ neutron_system_group_name }} "$(readlink {{ neutron_log_dir }})"
    else
      exit 1
    fi
@ -69,7 +69,7 @@
    group: "{{ item.group|default(neutron_system_group_name) }}"
    mode: "{{ item.mode|default('0755') }}"
  with_items:
-    - { path: "/var/log/neutron" }
+    - { path: "{{ neutron_log_dir }}" }
  when: log_dir.rc != 0

 - name: Drop sudoers file
--- a/tasks/neutron_selinux.yml
+++ b/tasks/neutron_selinux.yml
@ -56,3 +56,20 @@
  file:
    path: "/tmp/osa-neutron-selinux/"
    state: absent
+
+- name: Stat neutron's log directory
+  stat:
+    path: "{{ neutron_log_dir }}"
+  register: neutron_log_dir_check
+
+- name: Set SELinux file contexts for neutron's log directory
+  sefcontext:
+    target: "{{ (neutron_log_dir_check.stat.islnk) | ternary(neutron_log_dir.stat.lnk_target, neutron_log_dir) }}(/.*)?"
+    setype: neutron_log_t
+    state: present
+  register: selinux_file_context_log_files
+
+- name: Apply updated SELinux contexts on neutron log directory
+  command: "restorecon -Rv {{ (neutron_log_dir_check.stat.islnk) | ternary(neutron_log_dir.stat.lnk_target, neutron_log_dir) }}"
+  when:
+    - selinux_file_context_log_files | changed
--- a/templates/neutron-ha-tool.py.j2
+++ b/templates/neutron-ha-tool.py.j2
@ -48,7 +48,7 @@ def load_local_logging():

    user = os.getuid()
    home = os.path.expanduser('~')
-    log_dir = '/var/log/neutron'
+    log_dir = '{{ neutron_log_dir }}'
    filename = '%s.log' % LOG_NAME

    if user == 0:
--- a/templates/neutron.conf.j2
+++ b/templates/neutron.conf.j2
@ -21,7 +21,7 @@
 use_stderr = False
 debug = {{ debug }}
 fatal_deprecations = {{ neutron_fatal_deprecations }}
-log_file = /var/log/neutron/neutron.log
+log_file = {{ neutron_log_dir }}/neutron.log

 ## Rpc all
 executor_thread_pool_size = {{ neutron_rpc_thread_pool_size }}
--- a/vars/main.yml
+++ b/vars/main.yml
@ -378,7 +378,7 @@ neutron_services:
   service_conf_path: "{{ neutron_conf_dir }}"
   service_conf: dhcp_agent.ini
   service_rootwrap: rootwrap.d/dhcp.filters
-   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/dhcp_agent.ini --log-file=/var/log/neutron/neutron-dhcp-agent.log"
+   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/dhcp_agent.ini --log-file={{ neutron_log_dir }}/neutron-dhcp-agent.log"
   config_overrides: "{{ neutron_dhcp_agent_ini_overrides }}"
   config_type: "ini"
   init_config_overrides: "{{ neutron_dhcp_agent_init_overrides }}"
@ -390,7 +390,7 @@ neutron_services:
   service_conf_path: "{{ neutron_conf_dir }}"
   service_conf: plugins/ml2/openvswitch_agent.ini
   service_rootwrap: rootwrap.d/openvswitch-plugin.filters
-   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/openvswitch_agent.ini --log-file=/var/log/neutron/neutron-openvswitch-agent.log"
+   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/openvswitch_agent.ini --log-file={{ neutron_log_dir }}/neutron-openvswitch-agent.log"
   config_overrides: "{{ neutron_openvswitch_agent_ini_overrides }}"
   config_type: "ini"
   init_config_overrides: "{{ neutron_openvswitch_agent_init_overrides }}"
@ -402,7 +402,7 @@ neutron_services:
   service_conf_path: "{{ neutron_conf_dir }}"
   service_conf: plugins/ml2/linuxbridge_agent.ini
   service_rootwrap: rootwrap.d/linuxbridge-plugin.filters
-   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/linuxbridge_agent.ini --log-file=/var/log/neutron/neutron-linuxbridge-agent.log"
+   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/linuxbridge_agent.ini --log-file={{ neutron_log_dir }}/neutron-linuxbridge-agent.log"
   config_overrides: "{{ neutron_linuxbridge_agent_ini_overrides }}"
   config_type: "ini"
   init_config_overrides: "{{ neutron_linuxbridge_agent_init_overrides }}"
@ -413,7 +413,7 @@ neutron_services:
   service_en: "{{ neutron_metadata | bool }}"
   service_conf_path: "{{ neutron_conf_dir }}"
   service_conf: metadata_agent.ini
-   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metadata_agent.ini --log-file=/var/log/neutron/neutron-metadata-agent.log"
+   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metadata_agent.ini --log-file={{ neutron_log_dir }}/neutron-metadata-agent.log"
   config_overrides: "{{ neutron_metadata_agent_ini_overrides }}"
   config_type: "ini"
   init_config_overrides: "{{ neutron_metadata_agent_init_overrides }}"
@ -424,7 +424,7 @@ neutron_services:
   service_en: "{{ neutron_metering | bool }}"
   service_conf_path: "{{ neutron_conf_dir }}"
   service_conf: metering_agent.ini
-   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metering_agent.ini --log-file=/var/log/neutron/neutron-metering-agent.log"
+   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metering_agent.ini --log-file={{ neutron_log_dir }}/neutron-metering-agent.log"
   config_overrides: "{{ neutron_metering_agent_ini_overrides }}"
   config_type: "ini"
   init_config_overrides: "{{ neutron_metering_agent_init_overrides }}"
@ -444,7 +444,7 @@ neutron_services:
   service_conf_path: "{{ neutron_conf_dir }}"
   service_conf: l3_agent.ini
   service_rootwrap: rootwrap.d/l3.filters
-   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/l3_agent.ini --log-file=/var/log/neutron/neutron-l3-agent.log"
+   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/l3_agent.ini --log-file={{ neutron_log_dir }}/neutron-l3-agent.log"
   config_overrides: "{{ neutron_l3_agent_ini_overrides }}"
   config_type: "ini"
   init_config_overrides: "{{ neutron_l3_agent_init_overrides }}"
@ -456,7 +456,7 @@ neutron_services:
   service_conf_path: "{{ neutron_conf_dir }}"
   service_conf: lbaas_agent.ini
   service_rootwrap: rootwrap.d/lbaas-haproxy.filters
-   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/lbaas_agent.ini --log-file=/var/log/neutron/neutron-lbaasv2-agent.log"
+   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/lbaas_agent.ini --log-file={{ neutron_log_dir }}/neutron-lbaasv2-agent.log"
   config_overrides: "{{ neutron_lbaas_agent_ini_overrides }}"
   config_type: "ini"
   init_config_overrides: "{{ neutron_lbaas_agent_init_overrides }}"
@ -467,7 +467,7 @@ neutron_services:
   service_en: "{{ neutron_bgp | bool }}"
   service_conf_path: "{{ neutron_conf_dir }}"
   service_conf: bgp_dragent.ini
-   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/bgp_dragent.ini --log-file=/var/log/neutron/neutron-bgp-dragent.log"
+   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/bgp_dragent.ini --log-file={{ neutron_log_dir }}/neutron-bgp-dragent.log"
   config_overrides: "{{ neutron_bgp_dragent_ini_overrides }}"
   config_type: "ini"
   init_config_overrides: "{{ neutron_bgp_dragent_init_overrides }}"
@ -479,7 +479,7 @@ neutron_services:
   service_conf_path: "{{ neutron_conf_dir }}"
   service_conf: vpnaas_agent.ini
   service_rootwrap: rootwrap.d/vpnaas.filters
-   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/vpnaas_agent.ini --log-file=/var/log/neutron/neutron-vpn-agent.log"
+   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/vpnaas_agent.ini --log-file={{ neutron_log_dir }}/neutron-vpn-agent.log"
   config_overrides: "{{ neutron_vpnaas_agent_ini_overrides }}"
   config_type: "ini"
   init_config_overrides: "{{ neutron_vpn_agent_init_overrides }}"
@ -488,7 +488,7 @@ neutron_services:
   group: neutron_server
   service_name: neutron-server
   service_en: True
-   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/{{ neutron_plugins[neutron_plugin_type].plugin_ini }} --log-file=/var/log/neutron/neutron-server.log {% if neutron_plugin_type == 'ml2.dragonflow' %}--config-file {{ neutron_conf_dir }}/dragonflow.ini{% endif %}"
+   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/{{ neutron_plugins[neutron_plugin_type].plugin_ini }} --log-file={{ neutron_log_dir }}/neutron-server.log {% if neutron_plugin_type == 'ml2.dragonflow' %}--config-file {{ neutron_conf_dir }}/dragonflow.ini{% endif %}"
   init_config_overrides: "{{ neutron_server_init_overrides }}"
   start_order: 1
 calico-felix:
@ -523,7 +523,7 @@ neutron_services:
   service_en: "{{ 'ml2.sriov' in neutron_plugin_types }}"
   service_conf_path: "{{ neutron_conf_dir }}"
   service_conf: plugins/ml2/sriov_nic_agent.ini
-   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/sriov_nic_agent.ini --log-file=/var/log/neutron/neutron-sriov-nic-agent.log"
+   config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/sriov_nic_agent.ini --log-file={{ neutron_log_dir }}/neutron-sriov-nic-agent.log"
   config_overrides: "{{ neutron_sriov_nic_agent_ini_overrides }}"
   config_type: "ini"
   init_config_overrides: "{{ neutron_sriov_nic_agent_init_overrides }}"